About this blog:

This site began life in 2009 as a spinoff from PogoWasRight.org after the number of breaches in 2008 made me realize I needed a separate site just for breaches.


The author and publisher, “Dissent Doe,” has consulting contracts with a few clients who are in fields related to topics covered on this site. Those clients understand that their consulting contract with the author does not entitle them to any special treatment or consideration on this site. DataBreaches.net also provides data and statistical analyses to Protenus for their Breach Barometer reports.

About “Dissent Doe, PhD”

I’m not a security professional.  I’m a licensed health care professional who is passionate about protecting privacy. I hope that exposing the scope and seriousness of breaches – large and small – will help inform policymaking and decisions about allocating resources to data security. My background as a researcher and academic before turning clinician helps explain my involvement in research on breaches. My background as a mental health professional may help explain my interest and curiosity about those who hack.

“You’ve Got it All Wrong! You’re So Unfair! You’re a Hacker!”

This site is a combination of news aggregation, investigative reporting, and commentary. You may disagree with my reporting or be offended by my opinions. If you think I’ve erred in my reporting, email and let me know what you think I got wrong. If you don’t like my commentary on a situation or on your handling of an incident, you’re free to send a statement for me to consider posting.

If you want to send me legal threats about my reporting or comments, knock yourself out, but don’t be surprised to see me report on your threat, any confidentiality sig blocks you may attach notwithstanding. I have been threatened with lawsuits many times, and to be blunt: there is NOTHING you can threaten me with that will scare me even 1/10th as much as the day both my kids got their driver’s licenses within 15 minutes of each other.

To contact me about this blog, email breaches[at]databreaches.net.  If you wish to use end-to-end encryption for email, use my breaches[at]protonmail.ch address. For phone, use +1[516]776.7756 and get rid of the brackets and punctuation.

Original material on this site by Dissent Doe is copyright DataBreaches LLC or Lee Johnstone.

If You Get an Email from This Site or a Phone Call:

On a regular basis, I am contacted by researchers and asked to help notify companies or entities who have a data leak or breach that they do not know about. In such circumstances, I generally try email or a site’s on-site contact form if they have one. I may also use the phone.  Sometimes, I may reach out to entities via LinkedIn or DM on Twitter. I am very determined when trying to alert an entity that they have a leak or a breach.

I understand that in this day and age, people are suspicious of what they might fear are phishing attempts.  So look at the email carefully. You will not be able to tell anything about my location because of the email service I use, but I do include my phone number, and I use the same phone number for this site:  +1 516-776-7756.  Any email will likely come from the databreaches.net domain. If that domain is blocked by your system, I may try using breaches[at]protonmail.ch to reach you.  In many cases, the emails will be signed with my real name. In some cases, they may just be signed “Dissent.”

Please note that notifying you of your leak or data security problem is not my job. And it is not my job to keep trying to get through to you to make you realize you have a problem. If I have to keep trying, I tend to get testy. If you ignore attempts to alert you, I may start tweeting publicly about why your company isn’t responding to notifications.

You can help yourself avoid a PR or regulatory nightmare by ensuring that you have clearly displayed ways for people to notify  you of any data security concerns and by training your staff to escalate notifications. If they are concerned that the notifications are fake or a potential scam, they should not click on any links, but they should still get a supervisor involved or someone who can pursue the notice to determine if it’s real.

I hope I never have to contact you, but if I do, I hope you take the notification seriously.

This page was last updated on April 10, 2023 to remove the option to try to contact me on Twitter. I am no longer there. I am on Mastodon as pogowasright[at]infosec.exchange.